Hi,

We have a requirement to have a security model where consumers are granted access to a core stream (i.e., Stream ABC) by applying for group membership (i.e., QLIKSENSE_ABC_CONSUMER). The users would have access to all the apps  in the stream if they have membership to the corresponding consumer group.

However, we have a requirement to have certain apps within a stream be private. We would like the user to be required to be in the stream group as well as a private group to see these private apps (i.e., QLIKSENSE_ABC_PRIVATE_CONSUMER). We tried to write the following security rule, but it seems to not be working:

(

(user.environment.roles=resource.@Consumer and resource.@Hidden!="true")

or

(user.environment.roles=resource.@Consumer and resource.@Hidden="true" and user.environment.roles=resource.@Exception)

)

We are using SAML, so we pass through users' group memberships through an attribute called roles. We have a custom property called @Consumer which we apply to Streams and grant access if the @Consumer custom property matches one of the users' groups in the role attribute. In addition, we have a custom property on apps called @Hidden which we set to true if the app needs to be private and a custom property called @Exception to grant access to the private apps. 

If there is a better way of accomplishing our requirements, please suggest as we really would like to get something working...